1.2.8 build failed (SSL certificate problem: certificate has expired)

Running builds inside your kindly provided crux docker container for 1.2.8 I’m now getting SSL certificate problem for “linux firmware”.

Error Snippet -

Building dependency tree…
Reading state information…
Reading extended state information…
Initializing package states…
Reading task descriptions…
Building tag database…
Get: 1 Index of /debian jessie/main grub-efi-amd64 amd64 2.02~beta2-22+deb8u1 [73.0 kB]
Fetched 73.0 kB in 0s (611 kB/s)
I: Retrieving Linux Firmware - commit aa95e90b2c638f1ca6647d12b2d1b18284428f9c
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:–:-- --:–:-- --:–:-- 0curl: (60) SSL certificate problem: certificate has expired
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.
E: Received HTTP error code “000” when downloading Linux Firmware …
E: config/hooks/live/40-linux-firmware.chroot failed (exit non-zero). You should check for errors.
P: Begin unmounting filesystems…
P: Saving caches…


Hi, same issue I experience when building from crux container. Issue is the Let’s Encrypt root is problematic. Specifically, Let’s Encrypt root DST Root CA X3 expired on the 9/30 and certificates chaining up to it fail with an expired certificate message.

Handled via ⚓ T3911 Expired LetsEncrypt CA leads to unbuildable images

1 Like

Have a work around you could try @riorescue , within the spawned container.

Run: “sudo dpkg-reconfigure ca-certificates”

On the first screen that prompts “Trust new certificates from certificate authorities?” choose “yes”. On the next screen press the down arrow key on your keyboard until you find mozilla/DST_Root_CA_X3.crt, press the space bar to deselect it (the [*] should turn into [ ]) and press Enter